[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20060818225151.25485@mail.gmx.de>
Date: Sat, 19 Aug 2006 00:51:51 +0200
From: "Carsten Eilers" <ceilers-lists@....de>
To: <crackers_child@...ersavascilar.com>, <bugtraq@...urityfocus.com>
Subject: Re: Joomla Rssxt <= 1.0 Remote File Include Vulnerability
Hi,
crackers_child@...ersavascilar.com schrieb am Fri, 18 Aug 2006 09:46:12 +0000:
>Title : Joomla Rssxt <= 1.0 Remote File Include Vulnerability
First: There ist no pinger.php or RPC.php in V 1.0.
But they are in 2.0 Beta 1.
So maybe you reportet the wrong version.
>-------------------------------------------
>
>Bug
>
>
>in pinger.php
>
>
>require("../../configuration.php");
>
>require("../../classes/mambo.php");
>
>require("../../includes/sef.php");
>
>require("$mosConfig_absolute_path/administrator/components/com_rssxt/
>class.rssxt.php");
$mosConfig_absolute_path is set in configuration.php.
If it is not manipulated in classes/mambo.php or
includes/sef.php there ist no way to change it.
Surely not in pinger.php.
>in RPC.php
>
>
>require("../../configuration.php");
>
> ...
Same as above.
>rssxt.php
>
>
>include($mosConfig_absolute_path."/components/com_rssxt/includes/
>feedcreator.class.php");
>
>require_once( $mosConfig_absolute_path."/administrator/components/
>com_rssxt/class.rssxt.php");
rssxt.php checks for direct calls, if you call it
direct you got a 'die', but no code-execution oder
file inclusion.
No file inclusion at all.
Regards
Carsten
--
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz
<http://www.ceilers-it.de>
Powered by blists - more mailing lists